Week in Review, 25th August 2017


I have to thank our editor-in-chief, Kate Brew, for stepping in to compile the week in review last week while I was out topping up my tan on holiday.

So without further ado, let’s dive right in.

Buckets of insecurity

I think this is the week that unsecured Amazon S3 bucket leaks officially jumped the shark. It is now an almost weekly occurrence, and it keeps shining a spotlight on how many organisations simply lack the skills to secure their cloud environments properly, or to obtain any form of assurance that they have done so.
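The assurance part is the bit most of these leaks were missing, so here is the check a practitioner would run before a bucket ever goes live. This is an added example, not code from the original post: it takes the JSON that `aws s3api get-bucket-policy` and `get-bucket-acl` hand back and flags anything that grants object reads to an anonymous principal or to the AllUsers/AuthenticatedUsers ACL groups. The bucket name, account ID, role name and canonical user ID in the sample documents are made up, and the weak policy sits beside its scoped-down replacement.

```python
"""Flag anonymous read access in an S3 bucket policy and bucket ACL.

Added example, not code from the original post. The policy and ACL
documents are constructed to mirror the JSON that `aws s3api
get-bucket-policy` / `get-bucket-acl` return; the bucket name, account
ID, role name and canonical user ID are made up.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let a caller fetch objects, compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means 'everyone on the internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_doc):
    """Return the Sid (or index) of each statement granting anonymous object reads.

    A statement counts when it is an Allow, names an anonymous principal,
    covers a read action and has no Condition. Statements with a Condition
    are skipped rather than judged; a human still needs to read those.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if _is_anonymous(st.get("Principal")) and actions & READ_ACTIONS:
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """Return (group, permission) for grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


# Constructed: the classic "make the bucket public so the app can read it" mistake.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
}

# Constructed: the same access, scoped to one IAM role in the owning account.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
}

OWNER = {"Type": "CanonicalUser", "ID": "0123abcd" * 8}  # made-up 64-hex-char ID
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
FIXED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}


def audit(policy, acl):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"policy statement '{sid}' allows anonymous reads"
                for sid in public_policy_statements(policy)]
    findings += [f"ACL grants {perm} to {group}"
                 for group, perm in public_acl_grants(acl)]
    return findings


if __name__ == "__main__":
    for label, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, audit(pol, acl) or ["no public access found"])
```

Two caveats on the design: the checker deliberately treats any statement carrying a Condition as "needs a human", because conditions such as `aws:SourceIp` or `aws:Referer` are routinely misread as access control when they are trivially spoofable; and it evaluates Allow statements only, so it will not notice a Deny that happens to neutralise a public Allow. That is fine for a pre-deployment gate whose job is to shout, not to reason about the full IAM evaluation logic.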

Enigma Compromised

Enigma, a decentralised platform that was preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised, with the perpetrators netting nearly $500,000 in digital coin by spamming the project's followers from the hijacked channels.

Having worked in banking for over a decade, I'm not the biggest fan of the layers of regulation required in financial services. But as we're seeing with cryptocurrency, a little additional security can go a long way.

Boarding passes and stolen accounts

This isn't a new attack vector. I remember reading about similar attacks not too long ago, but it bears repeating: if you post photos of barcodes, particularly the ones on your airline boarding passes, it's likely that someone can use them to get into your booking or account. The barcode is not encrypted or obfuscated in any way; it carries your name and booking reference in plain text, which is exactly what the airline's "manage my booking" page asks for.
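To make the point concrete, here is an added example (not code from the original post) that decodes the mandatory section of an IATA Bar Coded Boarding Pass, the format behind the barcode on most airline passes. The field widths are the standard's 60-character mandatory layout; the boarding pass string itself is constructed, with a fictional passenger, carrier, flight and booking reference, so the only things it shows are the ones the format really exposes.

```python
"""Decode the mandatory fields of an IATA Bar Coded Boarding Pass (BCBP).

Added example, not from the original post. The boarding pass below is
constructed (fictional passenger, carrier, flight and booking reference).
The field widths are the 60-character mandatory section of the BCBP
standard, which is plain ASCII with no encryption, so anyone with a clear
photo of the barcode can read the surname and booking reference off it.
"""

# (field name, width) for the mandatory section, in order.
BCBP_FIELDS = [
    ("format_code", 1),          # 'M' for the multi-leg capable layout
    ("legs", 1),                 # number of flight legs encoded
    ("passenger_name", 20),      # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),    # 'E' for an electronic ticket
    ("pnr", 7),                  # booking reference ("record locator")
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),          # day of year of the flight
    ("compartment", 1),          # cabin class code
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),     # hex length of the optional section that follows
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)  # 60


def parse_bcbp(data):
    """Slice the mandatory section into a dict of stripped field values.

    Raises ValueError on an unexpected format code or truncated input.
    """
    if len(data) < MANDATORY_LEN:
        raise ValueError(f"need {MANDATORY_LEN} chars, got {len(data)}")
    if data[0] != "M":
        raise ValueError(f"unexpected format code {data[0]!r}")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    # The optional (conditional) section length is two hex digits.
    cond_len = int(fields["conditional_size"] or "0", 16)
    fields["conditional"] = data[pos:pos + cond_len]
    return fields


def build_bcbp(name, pnr, frm, to, carrier, flight, julian, compartment, seat, seq):
    """Assemble a mandatory section with the correct fixed widths (test data only)."""
    return (
        "M1" + name.ljust(20)[:20] + "E" + pnr.ljust(7)[:7] + frm + to
        + carrier.ljust(3)[:3] + flight.ljust(5)[:5] + f"{julian:03d}"
        + compartment + seat.ljust(4)[:4] + f"{seq:05d}" + "1" + "00"
    )


def sensitive_fields(fields):
    """What a photo hands an attacker: enough to open 'manage my booking'."""
    surname = fields["passenger_name"].split("/")[0]
    return {"surname": surname, "pnr": fields["pnr"]}


# Constructed sample: fictional passenger, carrier XX, flight 1234 on day 237
# (25 August in a non-leap year), fictional booking reference QX7T2M.
SAMPLE = build_bcbp("DOE/JANE", "QX7T2M", "LHR", "JFK", "XX", "1234", 237, "Y", "32A", 42)

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE)
    print(decoded)
    print("exposed:", sensitive_fields(decoded))
```

Real passes usually carry an optional section after these 60 characters, and that is where frequent-flyer numbers and similar identifiers live; the decoder returns it raw rather than guessing at its layout, but the mandatory part alone is already enough to change or cancel a booking through most airlines' web forms.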

Ransomware changed the rules

Another good and insightful post by the Grugq, in which he elaborates on a statement (which received some pushback on Twitter) that ransomware authors and criminals have done more to advance the state of cyber security readiness than the last 10 RSA conferences.

A controversial statement for sure, but the article makes some valid points that are worth pondering.

Accept Ts & Cs or be left with a brick

Sonos is the latest company to throw customer care to the wind and try to dictate all the terms. It has released a new privacy policy that gives it the ability to, well, basically use the information it collects in any way it wants. There is no 'opt out' for customers, and those who don't accept the new policy could end up with a rather expensive brick.

The problem is that this sets a bad precedent. So-called 'smart' devices will only become more common, to the point that it will probably be impossible to buy a 'dumb' device without some form of connected functionality. That gives corporations access to the most private areas of people's lives.

I wonder how long before hackers start releasing their own firmware variations for Sonos and other devices, as they did for John Deere tractors.

The Spyware App Store

Google has pulled 500 apps with over 100 million combined downloads from its official Play store after researchers alerted it to a secret backdoor that could allow the makers of an embedded SDK, rather than the app developers, to install a range of spyware at any time.

I don't envy the job of those responsible for vetting apps to ensure they are all legitimate and free of malware. What is really interesting about this story is that the apps all embedded an advertising SDK called Igexin, and it's likely that a lot of the app developers themselves weren't aware of the backdoor.

It's another case of supply chain security, but with a good collaborative defensive effort. So, I guess it's a good job and a pat on everyone's back for making it through another week.

About the Author: Javvad Malik. The man, the myth, the blogger; Javvad Malik is a London-based IT security professional, better known as an active blogger, event speaker and industry commentator, and possibly best known as one of the industry's most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research, providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.